Although the recent $115 million settlement in the consolidated class action lawsuit against health insurer Anthem Inc. tied to a 2015 cyberattack is considered record-setting for data breach litigation, some terms of the settlement appear underwhelming for victims, says attorney James DeGraw.

Under the settlement approved by a California federal court on Aug. 16, most of the nearly 79 million affected individuals will receive no cash. Instead, most of the settlement fund will be used to fund two more years of credit monitoring and fraud resolution services for victims.

Also, under the settlement, about 13 percent of the fund has been reserved for cash reimbursements for any victims who paid out of pocket for security monitoring services. Plus, Anthem has agreed to nearly triple its cybersecurity budget.

"Credit monitoring itself as an award is frankly not that effective, at least in my personal view," DeGraw, who was not involved in the Anthem case, says in an interview with Information Security Media Group. "A persisting problem is that post-breach, [bad actors] can still potentially use the stolen records, including medical information, to cause harm."

A more effective approach for most consumers, DeGraw says, is to put a credit freeze on their accounts, "which is a bit more cumbersome at times ... but that's a more effective remedy."

For breach victims, "there is no easy way to clean up your life," the attorney says. "You have a fair number of out-of-pocket costs, including taking a day off [from work] to file a report ... and maybe hire people to clean up your accounts and other things that have been opened in your name. It can be a hassle and it's time-consuming and it doesn't go away soon because we can't change our Social Security numbers or healthcare numbers relatively easily."

Is Budget Big Enough?

As for Anthem agreeing to triple its cybersecurity budget, "being a lawyer I'm naturally skeptical. Tripling off what?" he asks.

"That's an issue we see with many organizations the size of Anthem, and companies much smaller than Anthem: What is the security budget of the company? What does it include? Where is it flowing through? Is it part of an IT budget or a risk budget?
